GDPR Will Change Data Protection in May 2018 – Are You Ready?

In less than a year, Europe’s data protection rules will undergo their biggest changes
in two decades. Since their creation, the volume of digital information we create,
capture, and store has vastly increased. Simply put, the old regime was no longer fit
for purpose.

The solution is the mutually agreed European General Data
Protection Regulation (GDPR), which will come into force on
May 25th, 2018. It will change how businesses and public sector
organisations can handle the information of customers. To find
out more about what GDPR will mean, Linkline Journal spoke
with the founder of IT security firm ISAS (Information Security
Assurance Services), Conor Flynn, who has over 25 years’
experience providing information security advice to a wide
range of public and private sector organisations.

With the regulation coming into force next May, Conor explains that “GDPR is seen
as a move across Europe to improve the old data protection
acts which have been with us since the 1980s, albeit with a
number of revisions. There was quite an inconsistent
implementation across the EU with the old acts; the EU issued
a directive and then it was up to each local jurisdiction to
transpose that into a piece of legislation and make it an act
locally. For instance, it took Ireland seven years to transpose
the original directive which came out in 1981 into an
act here.”

When the EU issues a regulation, it is immediately binding in all
countries; it does not need to be transposed into local
legislation, which makes GDPR significantly different to
its predecessors.

What makes GDPR interesting, according to Conor, is that it
came into force in May 2016 but will not begin to be enforced
until May 2018: “A lot of people are looking at May 2018 as
when this will become applicable and that is not the case. It
became applicable in May 2016, we are now in the adoption
phase, so next May is when the fines and audits will start based
on the regulation. Many people are working on the basis that
they only have to start working towards compliance next May,
you have to finish compliance by next May.”

There are some significant implications for the public sector in
particular: “GDPR defines that every public sector body,
regardless of size, that handles any personal identifiable
information must have a data protection officer. Now, a lot of
organisations in the public sector already have data protection
officers but oftentimes it’s a combined role. It might be
someone who is head of IT or in HR but what is going to be
particularly impactful in the Irish public sector is that those
roles are now seen as conflict roles for data protection. They
cannot exist with them”, he explains.

The regulation has called out some very specific competences
that the data protection officer must have: “They must have
quite a lot of training, a good technical knowledge of systems
within the organisation and they must be of a senior level
because they have to be able to go to the management board
to report any non-compliance. They also have protection,
somewhat similar to a whistle-blower, they can’t be disciplined
or have any impact on their career for doing their job as
an officer.”

While the regulation doesn’t require legislation to come into
effect in May of next year, it does need legislation to support
some specific pieces of enactment at a local level. As Conor
explains, “For instance, the age of a child is defined differently
in varying European countries and the specific controls with
regards to how you handle the information of a child, so that
has to be dealt with locally. Also, there is discretion to each
country as to whether or not public sector bodies will be fined for
breaches and there is a little bit of tension here. The draft bill is
proposing that public sector bodies can’t be fined in Ireland
but the data protection office is lobbying that they should be
fined.”

In the private sector, however, the fines are going to be far
more onerous and we’ve seen some very public headlines
about fines of up to €20 million and up to four percent of
global turnover. While these don’t apply so much to the public
sector, what does apply is the ability for the data subject, the
citizen, to sue the controller or processor of their data in the
event of a breach.

Conor explains: “The regulation foresees that any
settlements in a case like this should be dissuasive and should
be more than compensating the injured party for their injury.
There have to be non-compensatory payments made as well,
which means the stress or discomfort of somebody who has
suffered a breach would result in a payment which is worrying.”

Elaborating further, he adds: “There is a lot of responsibility
and accountability coming towards the various data
controllers in both public and private sectors. What is going to
make it more difficult in the public sector is there are very
specific requirements to the role, functions, competency and
independence of data protection officers while at the same
time, they are still exposed to the settlement
of lawsuits.”

So, with the possibility of serious sanctions for non-compliance,
how should organisations be preparing? First and foremost,
Conor believes organisations should consult their corporate
risk register, because this is a risk to the business if they don’t.
“One of the most effective ways to get senior management to
commit human or financial resources to anything is to get on a
risk register and put an appropriate risk to the business on it.
We’ve talked about what the sanctions are; you can be fined,
you could have people taking you to court, you could be
named and shamed in the data protection commissioner’s
annual report but one of the other sanctions they have is they
can actually stop you processing, if they feel you have had a
breach or you have acted in a negligent or inappropriate way.
They can come in and make you switch off your systems, so
you can imagine the impact on a business if they had to stop
processing, people need to get this up on their risk register.”

What is a Corporate Risk Register?
The Corporate Risk Register is designed
to record the evaluation of corporate risks to the Board or
management, and to inform those responsible for managing
those risks about actions taken and planned to mitigate
them. This in turn helps to ensure that all significant risks
have been suitably identified, assessed and managed.

Conor also believes organisations should be undertaking a
readiness assessment or audit to identify the size of the
problem and to understand the impact of applying the
principles and rights of GDPR to the data, adding, “There is
quite a bit of work to be done but the worst decision
management can make is to do nothing.”

Aside from inaction, Conor is worried that many organisations
may be viewing GDPR as a project and it is not; it is a process.
“This is a permanent part of your world for the future and it
can’t be something that you throw lots of capital resources at
to buy equipment and software, and your GDPR is done. GDPR
is about privacy. It is about the entitlement of the data subject.
It’s not about security, encryption or buying the latest piece of
software.”

He is also keen to stress that it might be that you make no
software adjustments and become compliant. “What a lot of
people are missing in this whole debate is GDPR also covers
paper records, not just electronic. You can’t apply encryption
to paper so you must have your processes in place; how you
engage with the citizen, how you gather your data, how you
get rid of it, how you control access to it and so on. These are
privacy issues, the technology controls will come out of how
you will manage that. It is not a technology project first and I
think that is getting lost in some of the discussion.”

GDPR will no doubt instigate huge changes across Europe and
Conor firmly believes GDPR is a good thing. Simply put, he says,
“it is giving the citizen back control of their data and I think this
is vitally important. This is not about bureaucrats or
consultancy companies selling time or IT security firms selling
product; it is about the European Union taking a stance with
how Governments, organisations, law enforcement and
various bodies use people’s information. It’s about putting a
little bit of manners on organisations who will have access to,
or require large amounts of data, to make sure what they are
doing is done in an appropriate way and not excessive.”

GDPR is changing how businesses and public sector
organisations can handle the information of customers and
citizens. It is a permanent part of our world for the future and it
cannot be ignored; the potential consequences of GDPR
non-compliance are simply too high.